A HOLISTIC APPROACH TO HEALTH CARE CYBERSECURITY

Like most industries, the health care sector uses connected networks to improve efficiency and leverage data. But, with this connectivity comes a major risk of cyberattacks.

Without thorough cybersecurity, a hospital’s cyber infrastructure may be vulnerable to a malicious breech. And it’s not just outside hacking attacks that staff need to worry about — intrusions can be introduced inside a network from an infected USB flash drive or through a vendor unknowingly creating an unprotected connection to the outside world.

A health care cyberattack likely occurs for one of two reasons: Accessing electronic health records to sell on the black market and hijacking systems and preventing access until a ransom is paid. Both types of attacks can be devastating for a hospital’s reputation and ability to continue to function. Unfortunately, creating a secure cyber network in today’s hyper-connected world is a bigger challenge than some hospital IT departments may realize.

The Internet of Things (IoT) refers to all the daily devices and everyday objects that are now enabled with network connectivity. Objects that formerly were not connected to the network — like appliances, light switches, and televisions — now are all connected and are collecting and sharing massive amounts of data. This same concept can be applied to a hospital building through the “Internet of Buildings” or IoB.

More than any other building type, hospitals have a significant number of potential smart devices, building systems, clinical equipment, and other leading-edge technology that can be connected, providing countless opportunities for workflow and systems to be more efficient and easily controlled. Everything from window shades to thermostats can exist in technological harmony with building systems, information technology systems, and clinical systems on one unified network.

However, while designing a hospital to achieve this level of connectivity has many benefits, it also opens the facility up to greater vulnerabilities. Each device that is connected to a network represents a potential intrusion point from a cybersecurity perspective. An IT department may not even be aware of the access points to the network created by less-technical devices that wouldn’t fall under their purview.

Image courtesy of Tima Miroshnichenko/Pexels

FIGURE 5. Without thorough cybersecurity, a hospital’s cyber infrastructure may be vulnerable to a malicious breech.

Hospitals can best protect their cyber infrastructure from malicious attack by taking a holistic approach to cybersecurity. This involves more than protecting the computers and tablets in the hospital. This starts with approaching the planning of the hospital with the understanding that designing information technology, building systems, and clinical equipment can no longer be carried out in silos. There must be a single, unified process that considers those systems holistically.

As the connectivity of devices and objects in a building grows, many hospitals also are utilizing cloud-based storage. Shifting the storage and processing of sensitive medical data and hospital servers to a third-party cloud provider with expertise in cybersecurity also protects the data at a level that few hospital systems can match. In addition, any intrusion that could come through a device on the IoB at the local level would be impeded from accessing important patient data because of improved network segmentation.

However, this solution won’t be the right fit for every hospital. The decision to have portions of a network be cloud-based or on-premise involves multiple considerations.

With so many systems with network connections — from audio/video systems to security systems to clinical equipment — a hospital may have hundreds of different types of devices that utilize some type of connectivity. Recognizing the vulnerability this creates and expanding the concept of cybersecurity to holistically protect against all potential threats is the first step in creating a more resilient hospital cyber infrastructure.

IN SUMMARY: 10 KEY AREAS FOR HOSPITAL DISASTER PREPAREDNESS

Establishing a disaster-resilient health care facility is becoming an exceedingly more complex problem, and even hospitals that feel confident in the resiliency of their building and contingency plans may find gaps and inconsistencies with the reality of today’s changing world.

In IMEG’s health care resiliency guide, the firm addresses five key areas or situations in which any hospital may be vulnerable: natural disasters and structural integrity, MEP infrastructure, physical security, mass casualty events and infection outbreaks, and cybersecurity. Based on this guide, here’s a checklist of key items to consider while addressing resiliency at your facility.

1. Cybersecurity: Guarding against this vulnerability goes beyond protecting computers and tablets — it should be a single, unified process that considers IT, building systems, and clinical equipment holistically as opposed to separate system silos.
2. Temporary utility connections: Ensure the facility has a backup generator and redundancy for chilled water and boilers.
3. Contingency for potable water: If a supply is interrupted, how will one flush toilets, wash and sterilize equipment, or provide drinking water? Determine how much water one needs, whether on-site storage is applicable, or if a pumper truck should be contracted. Then, enact procedures that save and reuse water (e.g., using recycled water to flush toilets or installing a roof drain for condensation recovery).
4. Infrastructure equipment location: Locate critical MEP equipment on higher levels of a facility to reduce the risk of flood damage – particularly if the hospital is in a floodplain or below sea level.
5. Access control: Restrict access points to the building for easier monitoring and potential visitor screening. Separate visitor and employee parking lots and use evenly lit, well-distributed lights to increase visibility and improve security camera coverage.
6. Emergency command center: Is the emergency response room hardened or located below grade? Ensure the facility has emergency power, access, and lighting in the event of a natural disaster.
7. Hardness of systems: Reinforce individual systems within the hospital to make them more resilient against disasters.
8. MEP infrastructure redundancy: Baseline redundancy for critical infrastructure systems (such as boilers, medical gas, and power) is required by code for health care facilities. However, additional redundancy should be a key consideration for disaster preparedness. Consider what would happen if any component of major infrastructure failed — and how staff could safeguard against this potential problem.
9. Infrastructure loading shedding: Provide a detailed plan for how units can be shut down, whether manual or automatic. Also, provide a prioritization matrix and test it often.
10. Planning and practice: Research and gather information for the facility, then create a risk analysis and prioritization matrix. From this, a strategic resilience plan and operations, readiness, and training framework can be prepared.

Mike Zorich, P.E., LEED AP, is IMEG’s national director of health care and a principal of the firm. He is a licensed mechanical engineer with more than 15 years of experience, all with IMEG.